Expand federation local-only bypass list to prevent proxy loops

Add /api-key, /server-startup-utc, /marker-file-timestamp, /mcp-transport,
and /mcpserver/workspace to the FederationMiddleware local-only path list.
These infrastructure and workspace-management endpoints must never be
proxied through federation — they either issue local tokens, serve local
metadata, or handle workspace listing that is inherently per-server.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sharpninja

src/McpServer.Support.Mcp/Middleware/FederationMiddleware.cs

@@ -25,12 +25,17 @@ public sealed class FederationMiddleware
     /// </summary>
     private static readonly string[] LocalOnlyPrefixes =
     [
-        "/auth",          // OIDC proxy (/auth/config, /auth/device, /auth/token, /auth/ui/*)
-        "/connect",       // Embedded IdentityServer endpoints
-        "/.well-known",   // OIDC discovery documents
-        "/health",        // Health checks
-        "/ready",         // Readiness probe
-        "/swagger",       // Swagger UI
+        "/auth",                 // OIDC proxy (/auth/config, /auth/device, /auth/token, /auth/ui/*)
+        "/connect",              // Embedded IdentityServer endpoints
+        "/.well-known",          // OIDC discovery documents
+        "/health",               // Health checks
+        "/ready",                // Readiness probe
+        "/swagger",              // Swagger UI
+        "/api-key",              // Local workspace token issuance
+        "/server-startup-utc",   // Local server metadata
+        "/marker-file-timestamp", // Local marker file state
+        "/mcp-transport",        // MCP JSON-RPC — clients target servers directly
+        "/mcpserver/workspace",  // Workspace list/info is always local
     ];
 
     private readonly RequestDelegate _next;